Stability vs. Security vs. Functionality

Posted: 2013-01-15 20:49:36 by Alasdair Keyes



In the world of GNU/Linux there are a number of well-known enterprise distributions, and others that have gained a reputation for stability and reliability. Red Hat Enterprise Linux bills itself as the number one enterprise distribution, and Debian also has a reputation among sysadmins for being rock-steady.

These distributions are reliable and stable, but that comes at a cost. Recent releases of software often have bugs and/or security flaws in them, which puts people off upgrading until the bugs have been worked out. It's this mantra that Debian and Red Hat adopt to gain their reputation for reliability. Sadly, the recently released software is also the version that has all the latest security patches and new features.

This creates a trade-off between running the latest software, which is patched for all known bugs and has more functionality, and running older software, which is more reliable but comes with fewer features and doesn't have the latest patches.

Of course, Red Hat and other vendors do backport security patches when flaws are found, and Red Hat have their Fedora project, which is at the bleeding edge of software releases, but I think the days of large distributions running far outdated software are coming to an end. Backporting patches in this manner is effective, but it is usually only done once a compromise has actually been exploited, rather than when the upstream software has fixed the bug, and the time difference between the two can be great. Debian has within the past few years started catching up with the latest upstream software, and I think this is the right track.

Some of you may have already worked out that the recent Exim remote root exploit has triggered this post. More information can be found at http://www.theregister.co.uk/2010/12/11/exim_code_execution_peril/ and https://rhn.redhat.com/errata/RHSA-2010-0970.html.


If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz

Firewalls... there for a reason

Posted: 2013-01-15 20:49:36 by Alasdair Keyes



Everyone knows the necessity of firewalls on modern computer systems, protecting everything from the heavy iron down to your home PC. However, I've noticed a strange trend in companies to just not bother with software firewalls at all.

I know most companies have many firewall appliances which restrict access to various parts of their network, and combined with correct routing these can lock down a network very tightly. Even so, I always think it's paramount to run software firewalls on all your boxes.

No one designs their network to get attacked. However, any network that has been in production for several years will have been changed, re-patched, amended, had VLANs updated and routes added, and will carry that temporary firewall rule exception you added to grant an entire subnet access on all ports just because you couldn't see why you were getting connection errors. It's only natural that in that time mistakes will get made, possibly giving a small opening to someone you don't want in your network. With the plethora of complex network penetration/hacking scripts about, it only takes one script to go unnoticed for a couple of months, probing and prodding at your network, and it could find a way through to some very sensitive parts of your infrastructure.

Software firewalls certainly shouldn't be your only protection, however I would consider them the first and last line of defense. For shared hosting web servers they are the first line of defense against a nasty binary that has been uploaded through an insecure PHP script. For internal and backend systems such as database servers they are the last line of defense when someone has managed to get through the rest of your network security and is one step away from brute forcing your MySQL logins.

One excuse that is given is that a software firewall adds undue load to a server. Yes, to a degree this is correct, but if you've got a server with so many hundreds of thousands of connections that a software firewall is bogging it down, you should really look at some kind of load balancing so that you can spread that load over more hardware.

Having spent most of my career working in shared hosting environments, I know we actively open up our networks to potential compromise. Anyone can buy shared hosting for very little money and run pretty much any PHP/Ruby/Perl/Python script they wish, and with the advent of more and more WordPress and Joomla exploits, it doesn't take long before you'll find some shady scripts attempting to be executed.
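As an added example (not from the post), here is the kind of host firewall the post argues for on a backend database server: default-deny inbound, MySQL reachable only from the application subnet and SSH only from the admin subnet, emitted in iptables-restore format. The subnets, the chain layout and the sanity-check helper are assumptions for this example.

```shell
#!/bin/sh
# Added example: host firewall policy for a backend MySQL server in
# iptables-restore format. Inbound is default-deny; only the application
# subnet may reach 3306 and only the admin subnet may reach SSH, so a foothold
# elsewhere on the network cannot sit there brute-forcing MySQL logins.
mysql_host_ruleset() {
    app_net="$1"     # hosts that legitimately talk to MySQL (placeholder)
    admin_net="$2"   # hosts allowed to SSH in (placeholder)
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -s $admin_net -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s $app_net -p tcp --dport 3306 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "host-fw drop: "
COMMIT
EOF
}

# Sanity check before loading a ruleset read on stdin: every ACCEPT for a
# service port must carry a source restriction. Prints the number of
# unrestricted service ACCEPT rules; the answer you want is 0.
unrestricted_accepts() {
    grep -- '--dport' | grep -- '-j ACCEPT' | grep -vc -- ' -s '
}

RULESET=$(mysql_host_ruleset 10.0.2.0/24 10.0.9.0/24)
echo "$RULESET"
echo "unrestricted service ACCEPT rules: $(echo "$RULESET" | unrestricted_accepts)"
# To apply on a real host (as root): mysql_host_ruleset <app> <admin> | iptables-restore
```

Dropped packets are rate-limited into the kernel log, which is what lets you spot the probing the post describes rather than silently discarding it.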



Desktop VMs with Virtualbox

Posted: 2013-01-15 20:49:36 by Alasdair Keyes



I've recently been doing some development on a cluster of machines, and obviously virtualization is the way to go.

To this end I've been using VirtualBox a great deal. I'm not really a great fan of Oracle, either with their flagship DB or with some of the decisions they've made surrounding MySQL since they acquired it from Sun. However, along with their acquisition of Sun they got VirtualBox, and in my eyes it can do no wrong.

It's a very simple, lightweight hypervisor with good support for a range of guest OSes. I've not yet found one that it won't install: SuSE, CentOS 4/5/6, Red Hat, Ubuntu, Debian, OpenSolaris (I've not tried silly examples like Windows 95).



Disks failing everywhere

Posted: 2013-01-15 20:49:36 by Alasdair Keyes



It must be the lovely "sunny" weather England is experiencing at the moment: I've had three hard disks fail on me today, one in my desktop and two in servers.



Slow DHCP and the lack of Portfast

Posted: 2013-01-14 14:05:50 by Alasdair Keyes



If you're using DHCP and it seems to be taking a long time to get an address from your server, check that Portfast is enabled in your switch config. Without it, a newly linked port sits in the spanning-tree listening and learning states before it forwards traffic, which is long enough for a client's first DHCP requests to time out.

The config setting will be specific to your brand of switch, but enabling it gave me good, fast PXE booting.



Ave Maria

Posted: 2012-12-06 19:01:31 by Alasdair Keyes



What does your database choice say about you?

Well, I don't know if they actually do say anything; however, I've been using MySQL for a long time. If I need a database for a project, whether for work or personal use, I fall back to MySQL. It's like the comfy old pair of shoes that you always wear because you know where you are with them and they always feel comfortable.

I dabbled a bit with Oracle at uni and dipped my toe in the Postgres waters a couple of years ago to see what the fuss was about. Both seemed very functional; my only reason not to switch was that I was comfortable with MySQL. As a developer I know the SQL syntax to do pretty much most things I'd want to do, and as a sysadmin I know how to set it up in multiple configurations, upgrade it, manage it and debug issues. Beyond that I had a lot of projects already running on it, and no one needs the headache of changing a core part of a system such as the database. As the saying goes... "If it ain't broke..."

Those who follow such things will be aware that MySQL has had a somewhat rocky history over the past few years, being bought in 2008 by Sun and then acquired by Oracle a couple of years later. This has worried a lot of people; after all, what would Oracle want with a free database solution that might take business away from their high-end, uber-expensive prized product?

I have to say, I'm also a little concerned, so I've been following MariaDB with some interest recently. MariaDB is a drop-in replacement for MySQL, forked from the MySQL community version. It also has a few extensions and little extras of its own should you want to use them, but still maintains backwards compatibility with MySQL. They very nicely also provide repositories for some of the main Linux distributions (CentOS, Debian, Fedora, Red Hat and Ubuntu), so you can get the latest and greatest versions and bug fixes at the mere cost of adding a repository to your package management system.

I'm not sure I want to migrate my work systems to it yet, however I think I'll be giving it a go for some of my new projects.



Coding by famous Authors

Posted: 2012-08-24 15:24:49 by Alasdair Keyes



Here's a bit of light-hearted techy humour for those who like to code.

http://byfat.xxx/if-hemingway-wrote-javascript

I'm quite taken with the Shakespeare version.



Sendmail takes a long time to start

Posted: 2012-07-26 13:39:39 by Alasdair Keyes



I had someone come to me today with a CentOS 5.x machine that was taking upwards of 10 minutes to get to the login prompt.

When I rebooted the box, it hung for a long time on the Sendmail and Sendmail sm-client services:

Starting Sendmail:

Between the two of them they took over 8 minutes to start. Helpfully, /var/log/messages and /var/log/maillog didn't have any entries about why it took so long. After a bit of poking it turned out that he had changed the hostname from kvmhost01.local to kvmhost01.testlocal but hadn't updated /etc/hosts, so Sendmail couldn't find the IP associated with the hostname. The fixed file looks like this:

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       kvmhost01.testlocal localhost.localdomain localhost
::1             localhost6.localdomain6 localhost6

It's only a small thing, but it obviously makes a big difference to Sendmail.
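As an added example (not from the post), a small check for exactly this mismatch: does the hostname appear as a name on a non-comment line of an /etc/hosts-style file? The helper name and the sample files, which recreate the stale and fixed states from the post, are constructed for this example.

```shell
#!/bin/sh
# Added example: check that a hostname is listed in an /etc/hosts-style file,
# the mismatch that made Sendmail stall at boot here.
# hosts_has_name FILE NAME prints "present" or "missing".
hosts_has_name() {
    awk -v want="$2" '
        /^[[:space:]]*#/ { next }                       # skip comment lines
        { for (i = 2; i <= NF; i++) if ($i == want) { found = 1; exit } }
        END { print (found ? "present" : "missing") }
    ' "$1"
}

# Constructed sample files: the stale hosts file (old name still listed)
# and the corrected one with the new hostname.
STALE=$(mktemp); FIXED=$(mktemp)
cat > "$STALE" <<'EOF'
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       kvmhost01.local localhost.localdomain localhost
::1             localhost6.localdomain6 localhost6
EOF
sed 's/kvmhost01\.local/kvmhost01.testlocal/' "$STALE" > "$FIXED"

echo "stale: $(hosts_has_name "$STALE" kvmhost01.testlocal)"   # missing
echo "fixed: $(hosts_has_name "$FIXED" kvmhost01.testlocal)"   # present

# On a live box: compare the running hostname against the real file.
if [ -r /etc/hosts ] && command -v hostname >/dev/null 2>&1; then
    echo "/etc/hosts lists $(hostname): $(hosts_has_name /etc/hosts "$(hostname)")"
fi
```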



Network Ranges By Country/Continent

Posted: 2012-04-05 12:46:45 by Alasdair Keyes



Whilst investigating the source of some network attacks this morning, I came across the following website:

http://www.countryipblocks.net

It provides lists of network blocks by country/continent. If you notice a large number of attacks from a specific geographical area, you can find other IP blocks from the same area and add firewall rules for them.

According to the website, the data may become a paid-for service soon, so you may want to get the information while it's free!



KVM Console Not working

Posted: 2011-11-25 13:09:11 by Alasdair Keyes



I've noticed that with KVM virtual machines, the console (virsh console <domainid>) doesn't appear to work. When you run it you get:

# virsh console MyVM
Connected to domain MyVM
Escape character is ^]

Hitting enter gives you nothing. It appears that this isn't a bug with KVM; rather, the guest OS isn't aware that it should start up a ttyS serial port for KVM to connect to. When starting the machine, enter grub and add the following to the kernel options:

console=ttyS0,115200

Then, when the virtual machine starts, you can connect again using virsh and hit enter a couple of times:

[root@inth1-vdc-lvh01 ~]# virsh console MyVM
Connected to domain MyVM
Escape character is ^]

CentOS Linux release 6.0 (Final)
Kernel 2.6.32-71.el6.x86_64 on an x86_64

centos-6-0 login:

Voila... Obviously this isn't going to work for Windows :)
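Editing the kernel line in grub at boot only lasts for that boot. As an added example (not from the post), this script makes the option permanent by adding it to every kernel line of a legacy-GRUB grub.conf, as used on CentOS 6, without duplicating it on a second run. The sample grub.conf, the root device and the helper names are constructed for this example.

```shell
#!/bin/sh
# Added example: make the serial console permanent by appending
# console=ttyS0,115200 to each "kernel" line of a legacy-GRUB grub.conf,
# skipping lines that already carry it so the script is safe to re-run.
add_serial_console() {
    tmp=$(mktemp)
    sed -e '/^[[:space:]]*kernel /{' \
        -e '/console=ttyS0/!s/$/ console=ttyS0,115200/' \
        -e '}' "$1" > "$tmp" && mv "$tmp" "$1"
}
# Prints how many kernel lines carry the serial console option.
serial_console_count() {
    grep -c '^[[:space:]]*kernel .*console=ttyS0,115200' "$1"
}

# Constructed sample grub.conf for the CentOS 6 kernel shown in the post.
GRUB=$(mktemp)
cat > "$GRUB" <<'EOF'
default=0
timeout=5
title CentOS (2.6.32-71.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-71.el6.x86_64 ro root=/dev/mapper/vg-lv rhgb quiet
        initrd /initramfs-2.6.32-71.el6.x86_64.img
EOF

add_serial_console "$GRUB"
add_serial_console "$GRUB"      # second run is a no-op: option is not duplicated
echo "kernel lines with serial console: $(serial_console_count "$GRUB")"   # 1
grep '^[[:space:]]*kernel' "$GRUB"
# On a real host: back up /boot/grub/grub.conf, then add_serial_console /boot/grub/grub.conf
```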


